<p>Amazon Simple Queue Service (SQS) is a managed message queuing service for application-to-application (A2A) communication. Amazon SQS can store
messages encrypted as soon as they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message
from the file system, for example through a vulnerability in the service, they are not able to access the data.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The queue contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to encrypt SQS queues that contain sensitive information. Encryption and decryption are handled transparently by SQS, so no
further modifications to the application are necessary.</p>
<h2>Sensitive Code Example</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html"><code>aws-cdk-lib.aws-sqs.Queue</code></a></p>
<pre>
import { Queue } from 'aws-cdk-lib/aws-sqs';

new Queue(this, 'example', {
    encryption: QueueEncryption.UNENCRYPTED // Sensitive
});
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html"><code>aws-cdk-lib.aws-sqs.CfnQueue</code></a></p>
<pre>
import { CfnQueue } from 'aws-cdk-lib/aws-sqs';

new CfnQueue(this, 'example', {
    sqsManagedSseEnabled: false // Sensitive
});
</pre>
<h2>Compliant Solution</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html"><code>aws-cdk-lib.aws-sqs.Queue</code></a></p>
<pre>
import { Queue } from 'aws-cdk-lib/aws-sqs';

new Queue(this, 'example', {
    encryption: QueueEncryption.SQS_MANAGED
});
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html"><code>aws-cdk-lib.aws-sqs.CfnQueue</code></a></p>
<pre>
import { CfnQueue } from 'aws-cdk-lib/aws-sqs';

new CfnQueue(this, 'example', {
    sqsManagedSseEnabled: true
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html">AWS Documentation</a> -
  Encryption at rest </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222588">Application Security and
  Development: V-222588</a> - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
  rest. </li>
</ul>
